CISO Brief

All news with #devsecops tag

78 articles · page 3 of 4

From Adoption to Impact — DORA AI Capabilities Model Guide

🤖 The 2025 DORA companion guide highlights that AI acts as an amplifier, boosting strengths and exposing weaknesses across teams. Drawing on a cluster analysis of nearly 5,000 technology professionals, it identifies seven foundational capabilities — including a clear AI stance, healthy and AI-accessible data, strong version control, small-batch workflows, user-centric focus, and quality internal platforms — that increase the odds of positive outcomes. The guide maps seven team archetypes to help leaders diagnose where to start and offers a Value Stream Mapping facilitation to direct efforts toward system-level constraints so AI-driven productivity scales safely.

Automating NIS2 Compliance: Move from Paperwork to Code

🛡️ The EU directive NIS2, in force in Germany since 06 December 2025, risks becoming a paperwork-heavy exercise unless organisations adopt automation and DevSecOps. The article argues security must be planned and enforced by technology, using Infrastructure as Code, policies-as-code and CI/CD pipelines so controls and evidence (commits, pipeline logs, SBOMs) are revision-proof. Solutions such as CIEM, CNAPP and SIEM can centralise IAM, vulnerability and incident data so auditability is produced by the platform rather than by post-hoc Word documents.

Shifting Left at Enterprise Scale for Cloudflare Governance

🔐 Cloudflare describes how its Customer Zero team moved internal production account management from manual dashboard changes to a centralized Infrastructure as Code model to reduce human error and accelerate secure change. The effort uses Terraform, an Atlantis-driven CI/CD pipeline, and a custom tfstate-butler backend to securely manage state at scale. Policy enforcement relies on Open Policy Agent Rego policies executed through Conftest on every merge request, with warnings or deny gates and a formal exceptions workflow.

Google Application Design Center Now Generally Available

🛠️ Google's Application Design Center is now generally available, delivering a visual, canvas-style, AI-assisted environment to design and deploy Terraform-backed application templates. It pairs Gemini Cloud Assist with opinionated Terraform components to generate deployable infrastructure patterns and architecture diagrams. Integrated with App Hub and Cloud Hub, it makes applications discoverable, observable, and manageable, while supporting BYO-Terraform, GitOps, and enterprise governance to accelerate platform engineering and developer self-service.

AWS Security Agent preview: AI-driven development security

🔒 AWS today announced the preview of AWS Security Agent, an AI-powered agent that automates security validation across the application development lifecycle. The service lets security teams define organizational requirements once and then evaluates architecture and code against those standards, offering contextual remediation guidance. For deployments, it performs context-aware penetration testing and logs API activity to CloudTrail; the preview is available in US East (N. Virginia). AWS states customer data and queries are not used to train models.

The CISO’s Paradox: Enabling Innovation While Managing Risk

🔒 Security leaders must shift from gatekeeper to partner, embedding practical risk controls early in product lifecycles so teams can deliver fast without exposing the business. By defining business-language risk tolerances, standardizing identity and logging, and automating guardrails in CI/CD and infrastructure-as-code, governance becomes an accelerator rather than a bottleneck. Pre-vetted, secure-by-default templates, runtime shielding and risk-based telemetry make the secure path easier for developers while preserving production resilience.

AWS Transform Expands .NET Modernization and Developer UX

🔧 AWS Transform is now generally available with expanded .NET modernization features that let customers convert .NET Framework and .NET code to .NET 10 or .NET Standard. New capabilities include automated UI porting from ASP.NET Web Forms to Blazor on ASP.NET Core and Entity Framework ORM porting. An enhanced IDE workflow via the AWS Toolkit for Visual Studio 2026 or 2022 provides an editable transformation plan, real-time progress, repeatable iterations, detailed logs, and a Next Steps markdown for AI code companions.

AWS IAM Policy Autopilot generates baseline IAM policies

🔒 AWS announced IAM Policy Autopilot, an open-source MCP server and CLI that analyzes Python, TypeScript, and Go code locally to generate baseline, identity-based IAM policies for application roles. It integrates with AI coding assistants such as Kiro, Claude Code, and Cursor to speed policy creation. The tool stays current with AWS services and is available at no additional cost for local use. Generated policies are intended as starting points that require review and least-privilege refinement.

Webinar: Safely Patching Systems Using Community Tools

🔒 Community-driven package managers like Chocolatey and Winget speed deployments but can introduce supply-chain risks when packages are added or updated without rigorous vetting. Gene Moody, Field CTO at Action1, will lead a free webinar that tests these tools in practice, highlights common weak points, and demonstrates pragmatic safeguards such as source pinning, allow-lists, and hash/signature verification. The session focuses on actionable steps to help teams prioritize updates using known-exploited vulnerability data (KEV) and to choose whether to rely on community repos, vendor sources, or a hybrid approach while maintaining operational velocity.

Critical Fluent Bit Vulnerabilities Expose Telemetry Risk

⚠️ Fluent Bit, a widely deployed telemetry agent, has multiple critical vulnerabilities disclosed by Oligo Security affecting inputs, tag processing and output handling. Patches are available in Fluent Bit v4.1.1 and v4.0.12 released in early October 2025; older releases remain at risk. Operators are advised to update immediately, avoid dynamic tags, lock down output file parameters, run with least privilege and mount configuration directories read-only to reduce exposure.

AWS Step Functions Adds Local TestState API for Workflows

🔧 AWS Step Functions' TestState API now supports local unit testing of complete workflows, including advanced constructs like Map and Parallel states, without deploying state machines to AWS. Developers can mock AWS service integrations and opt into API contract validation so mocked responses align with actual service outputs, improving test fidelity. TestState calls integrate with frameworks such as Jest and pytest and can be used in CI/CD pipelines; the feature is available via the AWS SDK and CLI in all Regions where Step Functions is offered.

Hidden Risks in DevOps Stacks and Data Protection Strategies

🔒 DevOps platforms like GitHub, GitLab, Bitbucket, and Azure DevOps accelerate development but also introduce data risks from misconfigurations, exposed credentials, and service outages. Under the SaaS shared responsibility model, customers retain liability for protecting repository data and must enforce MFA, RBAC, and tested backups. Third-party immutable backups and left-shifted security practices are recommended to mitigate ransomware, insider threats, and accidental deletions.

Finding Salt failures: blaming commits to speed releases

🔍 Cloudflare explains how they accelerated triage and reduced release delays for Salt-managed configuration changes across thousands of servers. They implemented a local job cache on minions to retain job results, built a Salt Blame execution module to correlate failed highstates with commits, releases and external outages, and automated hierarchical triage from chat. These changes removed repetitive SSH-and-log workflows, made root-cause attribution self-service for SREs, and yielded a measurable >5% reduction in time lost to Salt-related release delays while enabling ongoing analytics and feedback.

Machine-Speed Security: Patching Faster Than Attacks

⚡ Attackers are weaponizing many newly disclosed CVEs within hours, forcing defenders to close the gap by moving beyond manual triage to automated remediation. Drawing on 2025 industry reports and CISA and Mandiant observations, the article notes roughly 50–61% of new vulnerabilities see exploit code within 48 hours. It urges adoption of policy-driven automation, controlled rollback, and streamlined change processes to shorten exposure windows while preserving operational stability.

Cloudflare Introduces Isolated Testing for Workflows

🧪 Cloudflare has added local, isolated testing APIs for Workflows, enabling developers to introspect and mock workflow instances using the new cloudflare:test module. Available with @cloudflare/vitest-pool-workers v0.9.0+, the APIs (introspectWorkflowInstance and introspectWorkflow) let tests run offline inside the Workers runtime, mock step results and events, and preserve isolated storage for reliable, deterministic tests. This improves debug visibility, reduces flaky tests, and lets teams assert on intermediate steps without hitting external systems.

GKE and Gemini CLI Integration Enhances Developer Workflows

🚀 Google has open-sourced the GKE Gemini CLI extension, bringing Google Kubernetes Engine directly into the Gemini CLI ecosystem while also functioning as an MCP server for other MCP clients. The extension injects GKE-specific context, tools, and tailored prompts so developers can use shorter, more natural language interactions and integrated slash commands to complete complex workflows. It simplifies common operations—like selecting models and accelerators or generating Kubernetes manifests for inference—while improving compatibility with Cloud Observability. The project is actively maintained with regular releases and community contributions.

Amazon ECS Adds Built-in Linear and Canary Deployments

🚀 Amazon ECS now supports built-in linear and canary deployment strategies to give teams finer control over traffic shifts during container rollouts. Linear deployments shift traffic in equal percentage steps with configurable step percentage and step bake time, while canary deployments route a small portion of traffic to the new revision for a configurable canary bake time before completing the shift. Both strategies provide a post-deployment bake time, support deployment lifecycle hooks, and can use Amazon CloudWatch alarms to detect failures and trigger automated rollbacks. The feature is available in all commercial AWS Regions and is supported via Console, SDK, CLI, CloudFormation, CDK, and Terraform for services using ALB or ECS Service Connect.

GitHub Universe 2025: Agents, AI, and Developer Tools

🚀 At GitHub Universe 2025, Microsoft and GitHub presented a vision for agentic development that lets developers see, steer, and build across autonomous agents. The event introduced platform capabilities like Agent HQ, a prompt-first AI Toolkit for VS Code, and the GA release of Azure MCP Server. Announcements focused on enterprise-grade security, standards-based integration, and faster, more intuitive agent creation and governance.

AWS Elastic Beanstalk Adds Amazon Corretto 25 on AL2023

🚀 AWS Elastic Beanstalk now supports Amazon Corretto 25 on the Amazon Linux 2023 (AL2023) platform, enabling developers to build and deploy applications with the newest Java 25 runtime and language features. The update brings improvements such as compact object headers, ahead-of-time (AOT) caching, and structured concurrency to Beanstalk-managed environments. Developers can provision Corretto 25 instances via the Elastic Beanstalk Console, CLI, or API, with general availability in commercial regions and AWS GovCloud (US) Regions.

AWS announces EC2 Capacity Reservation Topology API

🚀 AWS has announced general availability of the Amazon EC2 Capacity Reservation Topology API, providing a hierarchical, per-account view of the relative location of capacity reservations for AI/ML and HPC workloads. The API represents reservations as a network node set so customers can assess proximity without launching instances. Paired with the Instance Topology API, it enables consistent job scheduling, capacity planning, and node ranking across distributed parallel workloads and is available in most major AWS regions.